Commit 70beec0
Fixes A Coverity
The info.name_length variable was not being checked to see if it was less than the size of name when passed into read_data. This was a simple fix.
Fixes:
```
lib/pkg_editor/src/pkg_editor.c:1632:5:
Type: Untrusted value as argument (TAINTED_SCALAR)
lib/pkg_editor/src/pkg_editor.c:1591:3: Tainted data flows to a taint sink
1. path: Condition "buffer != NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1596:5:
2. path: Condition "input != NULL", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1596:5:
3. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1601:3:
4. path: Condition "ret != 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
5. path: Condition "z_info.strm.avail_in > 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
6. path: Condition "input != NULL", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1612:3:
7. path: Condition "!feof(input)", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
8. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
9. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
10. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
11. path: Condition "!read_data(name, info.name_length, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1642:5:
12. path: Condition "out_dir_length + 2 > 12288UL /* 3 * 4096 */", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1652:5:
13. path: Condition "info.kind == PACK_DIR", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1654:5:
14. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1711:3:
15. path: Jumping back to the beginning of the loop.
lib/pkg_editor/src/pkg_editor.c:1612:3:
16. path: Condition "z_info.strm.avail_in > 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
17. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
18. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
19. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
20. path: Condition "!read_data(name, info.name_length, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1642:5:
21. path: Condition "out_dir_length + 2 > 12288UL /* 3 * 4096 */", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1652:5:
22. path: Condition "info.kind == PACK_DIR", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1654:5:
23. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1711:3:
24. path: Jumping back to the beginning of the loop.
lib/pkg_editor/src/pkg_editor.c:1612:3:
25. path: Condition "z_info.strm.avail_in > 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
26. tainted_argument: Calling function "read_data" taints argument "info".
lib/pkg_editor/src/pkg_editor.c:1530:3: Tainted data flows to a taint sink
26.1. var_assign_parm: Assigning: "z_info->strm.next_out" = "data".
lib/pkg_editor/src/pkg_editor.c:1534:5:
26.2. path: Condition "z_info->strm.avail_in == 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
26.3. path: Condition "in_fd == NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
26.4. path: Condition "feof(in_fd)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1541:7:
26.5. tainted_data_argument: Calling function "fread" taints parameter "*z_info->buffer". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/pkg_editor/src/pkg_editor.c:1542:7:
26.6. path: Condition "count < 1", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1547:7:
26.7. var_assign_alias: Assigning: "z_info->strm.next_in" = "z_info->buffer", which taints "z_info->strm.next_in".
lib/pkg_editor/src/pkg_editor.c:1550:5:
26.8. tainted_data_transitive: Calling function "inflate" with tainted argument "*z_info->strm.next_in" taints "*z_info->strm.next_out".
lib/pkg_editor/src/pkg_editor.c:1551:5:
26.9. path: Condition "ret != -2", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1551:5:
26.10. path: Falling through to end of if statement.
lib/pkg_editor/src/pkg_editor.c:1552:5:
26.11. path: Condition "ret == 1", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1554:7:
26.12. path: Condition "z_info->strm.avail_out == 0", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1614:5:
27. path: Condition "!read_data(&info, 20UL /* sizeof (info) */, &z_info, input)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1619:5:
28. path: Condition "info.magic != 3203399403U", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1627:5:
29. path: Condition "info.kind == PACK_END", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1632:5:
30. tainted_data: Passing tainted expression "info.name_length" to "read_data", which uses it as an offset.
lib/pkg_editor/src/pkg_editor.c:1531:3: Tainted data flows to a taint sink
30.1. var_assign_parm: Assigning: "z_info->strm.avail_out" = "size", which taints "z_info->strm.avail_out".
lib/pkg_editor/src/pkg_editor.c:1534:5:
30.2. path: Condition "z_info->strm.avail_in == 0", taking true branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
30.3. path: Condition "in_fd == NULL", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1537:7:
30.4. path: Condition "feof(in_fd)", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1542:7:
30.5. path: Condition "count < 1", taking false branch.
lib/pkg_editor/src/pkg_editor.c:1550:5:
30.6. taint_sink_lv_call: Passing tainted expression "z_info->strm.avail_out" to taint sink "inflate".
lib/pkg_editor/src/pkg_editor.c:1632:5:
31. remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
```
TAINTED_SCALAR issue regarding info.name_length

1 parent 1ddf0f1 commit 70beec0
1 file changed: lib/pkg_editor/src/pkg_editor.c (8 additions & 0 deletions)
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
1628 | 1628 |
| |
1629 | 1629 |
| |
1630 | 1630 |
| |
| 1631 | + | |
| 1632 | + | |
| 1633 | + | |
| 1634 | + | |
| 1635 | + | |
| 1636 | + | |
| 1637 | + | |
| 1638 | + | |
1631 | 1639 |
| |
1632 | 1640 |
| |
1633 | 1641 |
| |
|
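Review bot: the failure path of the new check at added lines 1631-1638 is not documented. The commit message says only that info.name_length must be "less than the size of name" before the read_data call Coverity flags (old line 1632, new line 1640). Because read_data assigns that value to z_info->strm.avail_out and passes it to inflate (trace steps 30.1 and 30.6), record in a comment or in the message what happens when the check fails, and whether a zero name_length is accepted.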